[thirdparty/openssl.git] / crypto / ec / curve448 / eddsa.c

/*
 * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2015-2016 Cryptography Research, Inc.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * Originally written by Mike Hamburg
 */
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include "crypto/ecx.h"
#include "curve448_local.h"
#include "word.h"
#include "ed448.h"
#include "internal/numbers.h"

#define COFACTOR 4

static c448_error_t oneshot_hash(OSSL_LIB_CTX *ctx, uint8_t *out, size_t outlen,
                                 const uint8_t *in, size_t inlen,
                                 const char *propq)
{
    EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
    EVP_MD *shake256 = NULL;
    c448_error_t ret = C448_FAILURE;

    if (hashctx == NULL)
        return C448_FAILURE;

    shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
    if (shake256 == NULL)
        goto err;

    if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
            || !EVP_DigestUpdate(hashctx, in, inlen)
            || !EVP_DigestFinalXOF(hashctx, out, outlen))
        goto err;

    ret = C448_SUCCESS;
 err:
    EVP_MD_CTX_free(hashctx);
    EVP_MD_free(shake256);
    return ret;
}

static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
{
    secret_scalar_ser[0] &= -COFACTOR;
    secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
    secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
}

static c448_error_t hash_init_with_dom(OSSL_LIB_CTX *ctx, EVP_MD_CTX *hashctx,
                                       uint8_t prehashed,
                                       uint8_t for_prehash,
                                       const uint8_t *context,
                                       size_t context_len,
                                       const char *propq)
{
    /* ASCII: "SigEd448", in hex for EBCDIC compatibility */
    const char dom_s[] = "\x53\x69\x67\x45\x64\x34\x34\x38";
    uint8_t dom[2];
    EVP_MD *shake256 = NULL;

    if (context_len > UINT8_MAX)
        return C448_FAILURE;

    dom[0] = (uint8_t)(2 - (prehashed == 0 ? 1 : 0)
                       - (for_prehash == 0 ? 1 : 0));
    dom[1] = (uint8_t)context_len;

    shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
    if (shake256 == NULL)
        return C448_FAILURE;

    if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
            || !EVP_DigestUpdate(hashctx, dom_s, sizeof(dom_s)-1)
            || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
            || !EVP_DigestUpdate(hashctx, context, context_len)) {
        EVP_MD_free(shake256);
        return C448_FAILURE;
    }

    EVP_MD_free(shake256);
    return C448_SUCCESS;
}

/* In this file because it uses the hash */
c448_error_t
ossl_c448_ed448_convert_private_key_to_x448(
                            OSSL_LIB_CTX *ctx,
                            uint8_t x[X448_PRIVATE_BYTES],
                            const uint8_t ed [EDDSA_448_PRIVATE_BYTES],
                            const char *propq)
{
    /* pass the private key through oneshot_hash function */
    /* and keep the first X448_PRIVATE_BYTES bytes */
    return oneshot_hash(ctx, x, X448_PRIVATE_BYTES, ed,
                        EDDSA_448_PRIVATE_BYTES, propq);
}

c448_error_t
ossl_c448_ed448_derive_public_key(
                        OSSL_LIB_CTX *ctx,
                        uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
                        const char *propq)
{
    /* only this much used for keygen */
    uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
    curve448_scalar_t secret_scalar;
    unsigned int c;
    curve448_point_t p;

    if (!oneshot_hash(ctx, secret_scalar_ser, sizeof(secret_scalar_ser),
                      privkey,
                      EDDSA_448_PRIVATE_BYTES,
                      propq))
        return C448_FAILURE;

    clamp(secret_scalar_ser);

    ossl_curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
                                     sizeof(secret_scalar_ser));

    /*
     * Since we are going to mul_by_cofactor during encoding, divide by it
     * here. However, the EdDSA base point is not the same as the decaf base
     * point if the sigma isogeny is in use: the EdDSA base point is on
     * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
     * converted it effectively picks up a factor of 2 from the isogenies.  So
     * we might start at 2 instead of 1.
     */
    for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
        ossl_curve448_scalar_halve(secret_scalar, secret_scalar);

    ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
                                        secret_scalar);

    ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);

    /* Cleanup */
    ossl_curve448_scalar_destroy(secret_scalar);
    ossl_curve448_point_destroy(p);
    OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));

    return C448_SUCCESS;
}

c448_error_t
ossl_c448_ed448_sign(OSSL_LIB_CTX *ctx,
                     uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                     const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
                     const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                     const uint8_t *message, size_t message_len,
                     uint8_t prehashed, const uint8_t *context,
                     size_t context_len, const char *propq)
{
    curve448_scalar_t secret_scalar;
    EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
    c448_error_t ret = C448_FAILURE;
    curve448_scalar_t nonce_scalar;
    uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
    unsigned int c;
    curve448_scalar_t challenge_scalar;

    if (hashctx == NULL)
        return C448_FAILURE;

    {
        /*
         * Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialized
         * secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
         */
        uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];

        if (!oneshot_hash(ctx, expanded, sizeof(expanded), privkey,
                          EDDSA_448_PRIVATE_BYTES, propq))
            goto err;
        clamp(expanded);
        ossl_curve448_scalar_decode_long(secret_scalar, expanded,
                                         EDDSA_448_PRIVATE_BYTES);

        /* Hash to create the nonce */
        if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
                                context_len, propq)
                || !EVP_DigestUpdate(hashctx,
                                     expanded + EDDSA_448_PRIVATE_BYTES,
                                     EDDSA_448_PRIVATE_BYTES)
                || !EVP_DigestUpdate(hashctx, message, message_len)) {
            OPENSSL_cleanse(expanded, sizeof(expanded));
            goto err;
        }
        OPENSSL_cleanse(expanded, sizeof(expanded));
    }

    /* Decode the nonce */
    {
        uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];

        if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
            goto err;
        ossl_curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
        OPENSSL_cleanse(nonce, sizeof(nonce));
    }

    {
        /* Scalarmul to create the nonce-point */
        curve448_scalar_t nonce_scalar_2;
        curve448_point_t p;

        ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
        for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
            ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);

        ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
                                            nonce_scalar_2);
        ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
        ossl_curve448_point_destroy(p);
        ossl_curve448_scalar_destroy(nonce_scalar_2);
    }

    {
        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        /* Compute the challenge */
        if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context, context_len,
                                propq)
                || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
                || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
                || !EVP_DigestUpdate(hashctx, message, message_len)
                || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
            goto err;

        ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
                                         sizeof(challenge));
        OPENSSL_cleanse(challenge, sizeof(challenge));
    }

    ossl_curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
    ossl_curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);

    OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
    memcpy(signature, nonce_point, sizeof(nonce_point));
    ossl_curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
                                challenge_scalar);

    ossl_curve448_scalar_destroy(secret_scalar);
    ossl_curve448_scalar_destroy(nonce_scalar);
    ossl_curve448_scalar_destroy(challenge_scalar);

    ret = C448_SUCCESS;
 err:
    EVP_MD_CTX_free(hashctx);
    return ret;
}

c448_error_t
ossl_c448_ed448_sign_prehash(
                        OSSL_LIB_CTX *ctx,
                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                        const uint8_t hash[64], const uint8_t *context,
                        size_t context_len, const char *propq)
{
    return ossl_c448_ed448_sign(ctx, signature, privkey, pubkey, hash, 64, 1,
                                context, context_len, propq);
}

c448_error_t
ossl_c448_ed448_verify(
                    OSSL_LIB_CTX *ctx,
                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                    const uint8_t *message, size_t message_len,
                    uint8_t prehashed, const uint8_t *context,
                    uint8_t context_len, const char *propq)
{
    curve448_point_t pk_point, r_point;
    c448_error_t error;
    curve448_scalar_t challenge_scalar;
    curve448_scalar_t response_scalar;
    /* Order in little endian format */
    static const uint8_t order[] = {
        0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
        0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
        0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
    };
    int i;

    /*
     * Check that s (second 57 bytes of the sig) is less than the order. Both
     * s and the order are in little-endian format. This can be done in
     * variable time, since if this is not the case the signature if publicly
     * invalid.
     */
    for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
        if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
            return C448_FAILURE;
        if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
            break;
    }
    if (i < 0)
        return C448_FAILURE;

    error =
        ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);

    if (C448_SUCCESS != error)
        return error;

    error =
        ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
    if (C448_SUCCESS != error)
        return error;

    {
        /* Compute the challenge */
        EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        if (hashctx == NULL
                || !hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
                                       context_len, propq)
                || !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES)
                || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
                || !EVP_DigestUpdate(hashctx, message, message_len)
                || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
            EVP_MD_CTX_free(hashctx);
            return C448_FAILURE;
        }

        EVP_MD_CTX_free(hashctx);
        ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
                                         sizeof(challenge));
        OPENSSL_cleanse(challenge, sizeof(challenge));
    }
    ossl_curve448_scalar_sub(challenge_scalar, ossl_curve448_scalar_zero,
                             challenge_scalar);

    ossl_curve448_scalar_decode_long(response_scalar,
                                     &signature[EDDSA_448_PUBLIC_BYTES],
                                     EDDSA_448_PRIVATE_BYTES);

    /* pk_point = -c(x(P)) + (cx + k)G = kG */
    ossl_curve448_base_double_scalarmul_non_secret(pk_point,
                                                   response_scalar,
                                                   pk_point, challenge_scalar);
    return c448_succeed_if(ossl_curve448_point_eq(pk_point, r_point));
}

c448_error_t
ossl_c448_ed448_verify_prehash(
                    OSSL_LIB_CTX *ctx,
                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                    const uint8_t hash[64], const uint8_t *context,
                    uint8_t context_len, const char *propq)
{
    return ossl_c448_ed448_verify(ctx, signature, pubkey, hash, 64, 1, context,
                                  context_len, propq);
}

int
ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig,
                const uint8_t *message, size_t message_len,
                const uint8_t public_key[57], const uint8_t private_key[57],
                const uint8_t *context, size_t context_len,
                const uint8_t phflag, const char *propq)
{
    return ossl_c448_ed448_sign(ctx, out_sig, private_key, public_key, message,
                                message_len, phflag, context, context_len,
                                propq) == C448_SUCCESS;
}

int
ossl_ed448_verify(OSSL_LIB_CTX *ctx,
                  const uint8_t *message, size_t message_len,
                  const uint8_t signature[114], const uint8_t public_key[57],
                  const uint8_t *context, size_t context_len,
                  const uint8_t phflag, const char *propq)
{
    return ossl_c448_ed448_verify(ctx, signature, public_key, message,
                                  message_len, phflag, context, (uint8_t)context_len,
                                  propq) == C448_SUCCESS;
}

int
ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57],
                               const uint8_t private_key[57], const char *propq)
{
    return ossl_c448_ed448_derive_public_key(ctx, out_public_key, private_key,
                                             propq) == C448_SUCCESS;
}
Commit	Line	Data
1308e022	1	/*
da1c088f	2	* Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
1308e022	3	* Copyright 2015-2016 Cryptography Research, Inc.
7324473f	4	*
a7f182b7	5	* Licensed under the Apache License 2.0 (the "License"). You may not use
1308e022 MC	6	* this file except in compliance with the License. You can obtain a copy
	7	* in the file LICENSE in the source distribution or at
	8	* https://www.openssl.org/source/license.html
7324473f	9	*
1308e022	10	* Originally written by Mike Hamburg
7324473f	11	*/
53ef3252	12	#include <string.h>
b6e388ba	13	#include <openssl/crypto.h>
a242839f	14	#include <openssl/evp.h>
3965480c	15	#include "crypto/ecx.h"
706457b7	16	#include "curve448_local.h"
7324473f	17	#include "word.h"
a2039c87	18	#include "ed448.h"
a242839f	19	#include "internal/numbers.h"
7324473f	20
7324473f	21	#define COFACTOR 4
7324473f	22
b4250010	23	static c448_error_t oneshot_hash(OSSL_LIB_CTX ctx, uint8_t out, size_t outlen,
8dbef010 SL	24	const uint8_t *in, size_t inlen,
8dbef010 SL	25	const char *propq)
a242839f MC	26	{
a242839f MC	27	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
a9612d6c MC	28	EVP_MD *shake256 = NULL;
a9612d6c MC	29	c448_error_t ret = C448_FAILURE;
a242839f MC	30
a242839f MC	31	if (hashctx == NULL)
aeeef83c	32	return C448_FAILURE;
a242839f	33
8dbef010	34	shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
a9612d6c MC	35	if (shake256 == NULL)
	36	goto err;
	37
	38	if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
04ebd4e1	39	\|\| !EVP_DigestUpdate(hashctx, in, inlen)
a9612d6c MC	40	\|\| !EVP_DigestFinalXOF(hashctx, out, outlen))
a9612d6c MC	41	goto err;
a242839f	42
a9612d6c MC	43	ret = C448_SUCCESS;
a9612d6c MC	44	err:
a242839f	45	EVP_MD_CTX_free(hashctx);
3fd70262	46	EVP_MD_free(shake256);
a9612d6c	47	return ret;
a242839f MC	48	}
a242839f MC	49
db90b274	50	static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
205fd638	51	{
7324473f	52	secret_scalar_ser[0] &= -COFACTOR;
9c9d6ff4 MC	53	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
9c9d6ff4 MC	54	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] \|= 0x80;
7324473f MC	55	}
7324473f MC	56
b4250010	57	static c448_error_t hash_init_with_dom(OSSL_LIB_CTX ctx, EVP_MD_CTX hashctx,
a9612d6c	58	uint8_t prehashed,
aeeef83c MC	59	uint8_t for_prehash,
aeeef83c MC	60	const uint8_t *context,
8dbef010 SL	61	size_t context_len,
8dbef010 SL	62	const char *propq)
205fd638	63	{
836080a8 JM	64	/* ASCII: "SigEd448", in hex for EBCDIC compatibility */
836080a8 JM	65	const char dom_s[] = "\x53\x69\x67\x45\x64\x34\x34\x38";
094c071c	66	uint8_t dom[2];
a9612d6c	67	EVP_MD *shake256 = NULL;
094c071c	68
a242839f	69	if (context_len > UINT8_MAX)
aeeef83c	70	return C448_FAILURE;
7324473f	71
a7232276 MC	72	dom[0] = (uint8_t)(2 - (prehashed == 0 ? 1 : 0)
a7232276 MC	73	- (for_prehash == 0 ? 1 : 0));
53ef3252 MC	74	dom[1] = (uint8_t)context_len;
53ef3252 MC	75
8dbef010	76	shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
a9612d6c MC	77	if (shake256 == NULL)
	78	return C448_FAILURE;
	79
	80	if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
836080a8	81	\|\| !EVP_DigestUpdate(hashctx, dom_s, sizeof(dom_s)-1)
04ebd4e1	82	\|\| !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
a9612d6c	83	\|\| !EVP_DigestUpdate(hashctx, context, context_len)) {
3fd70262	84	EVP_MD_free(shake256);
aeeef83c	85	return C448_FAILURE;
a9612d6c	86	}
a242839f	87
3fd70262	88	EVP_MD_free(shake256);
aeeef83c	89	return C448_SUCCESS;
7324473f MC	90	}
7324473f MC	91
7324473f	92	/* In this file because it uses the hash */
054d43ff SL	93	c448_error_t
054d43ff SL	94	ossl_c448_ed448_convert_private_key_to_x448(
b4250010	95	OSSL_LIB_CTX *ctx,
db90b274	96	uint8_t x[X448_PRIVATE_BYTES],
8dbef010 SL	97	const uint8_t ed [EDDSA_448_PRIVATE_BYTES],
8dbef010 SL	98	const char *propq)
205fd638	99	{
a242839f	100	/* pass the private key through oneshot_hash function */
db90b274	101	/* and keep the first X448_PRIVATE_BYTES bytes */
a9612d6c	102	return oneshot_hash(ctx, x, X448_PRIVATE_BYTES, ed,
8dbef010	103	EDDSA_448_PRIVATE_BYTES, propq);
7324473f	104	}
205fd638	105
054d43ff SL	106	c448_error_t
054d43ff SL	107	ossl_c448_ed448_derive_public_key(
b4250010	108	OSSL_LIB_CTX *ctx,
db90b274	109	uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
8dbef010 SL	110	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
8dbef010 SL	111	const char *propq)
205fd638	112	{
7324473f	113	/* only this much used for keygen */
db90b274	114	uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
094c071c MC	115	curve448_scalar_t secret_scalar;
	116	unsigned int c;
	117	curve448_point_t p;
	118
a9612d6c MC	119	if (!oneshot_hash(ctx, secret_scalar_ser, sizeof(secret_scalar_ser),
a9612d6c MC	120	privkey,
8dbef010 SL	121	EDDSA_448_PRIVATE_BYTES,
8dbef010 SL	122	propq))
aeeef83c	123	return C448_FAILURE;
8d55f844	124
7324473f	125	clamp(secret_scalar_ser);
094c071c	126
054d43ff SL	127	ossl_curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
054d43ff SL	128	sizeof(secret_scalar_ser));
205fd638 MC	129
	130	/*
	131	* Since we are going to mul_by_cofactor during encoding, divide by it
	132	* here. However, the EdDSA base point is not the same as the decaf base
	133	* point if the sigma isogeny is in use: the EdDSA base point is on
	134	* Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
	135	* converted it effectively picks up a factor of 2 from the isogenies. So
	136	* we might start at 2 instead of 1.
7324473f	137	*/
db90b274	138	for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
054d43ff	139	ossl_curve448_scalar_halve(secret_scalar, secret_scalar);
205fd638	140
054d43ff SL	141	ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
054d43ff SL	142	secret_scalar);
205fd638	143
054d43ff	144	ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
205fd638	145
7324473f	146	/* Cleanup */
054d43ff SL	147	ossl_curve448_scalar_destroy(secret_scalar);
054d43ff SL	148	ossl_curve448_point_destroy(p);
b6e388ba	149	OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
a242839f	150
aeeef83c	151	return C448_SUCCESS;
7324473f MC	152	}
7324473f MC	153
054d43ff SL	154	c448_error_t
	155	ossl_c448_ed448_sign(OSSL_LIB_CTX *ctx,
	156	uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
	157	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
	158	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
	159	const uint8_t *message, size_t message_len,
	160	uint8_t prehashed, const uint8_t *context,
	161	size_t context_len, const char *propq)
205fd638	162	{
e7772577	163	curve448_scalar_t secret_scalar;
a242839f	164	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
aeeef83c	165	c448_error_t ret = C448_FAILURE;
094c071c	166	curve448_scalar_t nonce_scalar;
db90b274	167	uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
094c071c MC	168	unsigned int c;
094c071c MC	169	curve448_scalar_t challenge_scalar;
a242839f MC	170
a242839f MC	171	if (hashctx == NULL)
aeeef83c	172	return C448_FAILURE;
a242839f	173
7324473f	174	{
52a9587c	175	/*
aa97970c	176	* Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialized
52a9587c MC	177	* secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
	178	*/
	179	uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];
a242839f	180
a9612d6c	181	if (!oneshot_hash(ctx, expanded, sizeof(expanded), privkey,
8dbef010	182	EDDSA_448_PRIVATE_BYTES, propq))
a242839f	183	goto err;
52a9587c	184	clamp(expanded);
054d43ff SL	185	ossl_curve448_scalar_decode_long(secret_scalar, expanded,
054d43ff SL	186	EDDSA_448_PRIVATE_BYTES);
205fd638	187
7324473f	188	/* Hash to create the nonce */
a9612d6c	189	if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
8dbef010	190	context_len, propq)
04ebd4e1 MC	191	\|\| !EVP_DigestUpdate(hashctx,
	192	expanded + EDDSA_448_PRIVATE_BYTES,
	193	EDDSA_448_PRIVATE_BYTES)
28c5b7d4	194	\|\| !EVP_DigestUpdate(hashctx, message, message_len)) {
68b20c00	195	OPENSSL_cleanse(expanded, sizeof(expanded));
a242839f MC	196	goto err;
a242839f MC	197	}
52a9587c	198	OPENSSL_cleanse(expanded, sizeof(expanded));
7324473f	199	}
205fd638	200
7324473f	201	/* Decode the nonce */
7324473f	202	{
db90b274	203	uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	204
	205	if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
	206	goto err;
054d43ff	207	ossl_curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
b6e388ba	208	OPENSSL_cleanse(nonce, sizeof(nonce));
7324473f	209	}
094c071c	210
7324473f MC	211	{
7324473f MC	212	/* Scalarmul to create the nonce-point */
e7772577	213	curve448_scalar_t nonce_scalar_2;
094c071c MC	214	curve448_point_t p;
094c071c MC	215
054d43ff	216	ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
68b20c00	217	for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
054d43ff	218	ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
094c071c	219
054d43ff SL	220	ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
	221	nonce_scalar_2);
	222	ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
	223	ossl_curve448_point_destroy(p);
	224	ossl_curve448_scalar_destroy(nonce_scalar_2);
7324473f	225	}
094c071c	226
7324473f	227	{
db90b274	228	uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	229
a242839f MC	230	/* Compute the challenge */
8dbef010 SL	231	if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context, context_len,
8dbef010 SL	232	propq)
68b20c00 MC	233	\|\| !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
68b20c00 MC	234	\|\| !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
28c5b7d4	235	\|\| !EVP_DigestUpdate(hashctx, message, message_len)
68b20c00	236	\|\| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
a242839f MC	237	goto err;
a242839f MC	238
054d43ff SL	239	ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
054d43ff SL	240	sizeof(challenge));
205fd638	241	OPENSSL_cleanse(challenge, sizeof(challenge));
7324473f	242	}
205fd638	243
054d43ff SL	244	ossl_curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
054d43ff SL	245	ossl_curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
205fd638	246
db90b274	247	OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
205fd638	248	memcpy(signature, nonce_point, sizeof(nonce_point));
054d43ff SL	249	ossl_curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
054d43ff SL	250	challenge_scalar);
205fd638	251
054d43ff SL	252	ossl_curve448_scalar_destroy(secret_scalar);
	253	ossl_curve448_scalar_destroy(nonce_scalar);
	254	ossl_curve448_scalar_destroy(challenge_scalar);
a242839f	255
aeeef83c	256	ret = C448_SUCCESS;
a242839f MC	257	err:
	258	EVP_MD_CTX_free(hashctx);
	259	return ret;
7324473f MC	260	}
7324473f MC	261
054d43ff SL	262	c448_error_t
054d43ff SL	263	ossl_c448_ed448_sign_prehash(
b4250010	264	OSSL_LIB_CTX *ctx,
db90b274 MC	265	uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
	266	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
	267	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
aeeef83c	268	const uint8_t hash[64], const uint8_t *context,
8dbef010	269	size_t context_len, const char *propq)
205fd638	270	{
054d43ff SL	271	return ossl_c448_ed448_sign(ctx, signature, privkey, pubkey, hash, 64, 1,
054d43ff SL	272	context, context_len, propq);
7324473f MC	273	}
7324473f MC	274
054d43ff SL	275	c448_error_t
054d43ff SL	276	ossl_c448_ed448_verify(
b4250010	277	OSSL_LIB_CTX *ctx,
db90b274 MC	278	const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
db90b274 MC	279	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
aeeef83c MC	280	const uint8_t *message, size_t message_len,
aeeef83c MC	281	uint8_t prehashed, const uint8_t *context,
8dbef010	282	uint8_t context_len, const char *propq)
205fd638	283	{
e7772577	284	curve448_point_t pk_point, r_point;
08afd2f3	285	c448_error_t error;
094c071c MC	286	curve448_scalar_t challenge_scalar;
094c071c MC	287	curve448_scalar_t response_scalar;
08afd2f3 MC	288	/* Order in little endian format */
	289	static const uint8_t order[] = {
	290	0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
	291	0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
	292	0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	293	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	294	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
	295	};
	296	int i;
	297
	298	/*
	299	* Check that s (second 57 bytes of the sig) is less than the order. Both
	300	* s and the order are in little-endian format. This can be done in
	301	* variable time, since if this is not the case the signature if publicly
	302	* invalid.
	303	*/
	304	for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
	305	if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
	306	return C448_FAILURE;
	307	if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
	308	break;
	309	}
	310	if (i < 0)
	311	return C448_FAILURE;
	312
	313	error =
054d43ff	314	ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
094c071c	315
aeeef83c	316	if (C448_SUCCESS != error)
205fd638	317	return error;
205fd638 MC	318
205fd638 MC	319	error =
054d43ff	320	ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
aeeef83c	321	if (C448_SUCCESS != error)
205fd638	322	return error;
205fd638	323
7324473f MC	324	{
7324473f MC	325	/* Compute the challenge */
a242839f	326	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
db90b274	327	uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	328
a242839f MC	329	if (hashctx == NULL
a9612d6c	330	\|\| !hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
8dbef010	331	context_len, propq)
e4118223 MC	332	\|\| !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES)
	333	\|\| !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
	334	\|\| !EVP_DigestUpdate(hashctx, message, message_len)
	335	\|\| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
a242839f	336	EVP_MD_CTX_free(hashctx);
aeeef83c	337	return C448_FAILURE;
a242839f MC	338	}
	339
	340	EVP_MD_CTX_free(hashctx);
054d43ff SL	341	ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
054d43ff SL	342	sizeof(challenge));
205fd638	343	OPENSSL_cleanse(challenge, sizeof(challenge));
7324473f	344	}
054d43ff SL	345	ossl_curve448_scalar_sub(challenge_scalar, ossl_curve448_scalar_zero,
054d43ff SL	346	challenge_scalar);
205fd638	347
054d43ff SL	348	ossl_curve448_scalar_decode_long(response_scalar,
	349	&signature[EDDSA_448_PUBLIC_BYTES],
	350	EDDSA_448_PRIVATE_BYTES);
205fd638	351
7324473f	352	/* pk_point = -c(x(P)) + (cx + k)G = kG */
054d43ff SL	353	ossl_curve448_base_double_scalarmul_non_secret(pk_point,
	354	response_scalar,
	355	pk_point, challenge_scalar);
	356	return c448_succeed_if(ossl_curve448_point_eq(pk_point, r_point));
7324473f MC	357	}
7324473f MC	358
054d43ff SL	359	c448_error_t
054d43ff SL	360	ossl_c448_ed448_verify_prehash(
b4250010	361	OSSL_LIB_CTX *ctx,
db90b274 MC	362	const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
db90b274 MC	363	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
8d55f844	364	const uint8_t hash[64], const uint8_t *context,
8dbef010	365	uint8_t context_len, const char *propq)
205fd638	366	{
054d43ff SL	367	return ossl_c448_ed448_verify(ctx, signature, pubkey, hash, 64, 1, context,
054d43ff SL	368	context_len, propq);
7324473f	369	}
4ea41daa	370
054d43ff	371	int
836080a8 JM	372	ossl_ed448_sign(OSSL_LIB_CTX ctx, uint8_t out_sig,
	373	const uint8_t *message, size_t message_len,
	374	const uint8_t public_key[57], const uint8_t private_key[57],
	375	const uint8_t *context, size_t context_len,
	376	const uint8_t phflag, const char *propq)
6ea71cba	377	{
054d43ff	378	return ossl_c448_ed448_sign(ctx, out_sig, private_key, public_key, message,
836080a8	379	message_len, phflag, context, context_len,
054d43ff	380	propq) == C448_SUCCESS;
4ea41daa MC	381	}
4ea41daa MC	382
054d43ff	383	int
836080a8 JM	384	ossl_ed448_verify(OSSL_LIB_CTX *ctx,
836080a8 JM	385	const uint8_t *message, size_t message_len,
054d43ff	386	const uint8_t signature[114], const uint8_t public_key[57],
836080a8 JM	387	const uint8_t *context, size_t context_len,
836080a8 JM	388	const uint8_t phflag, const char *propq)
6ea71cba	389	{
054d43ff	390	return ossl_c448_ed448_verify(ctx, signature, public_key, message,
836080a8	391	message_len, phflag, context, (uint8_t)context_len,
054d43ff	392	propq) == C448_SUCCESS;
4ea41daa MC	393	}
4ea41daa MC	394
054d43ff SL	395	int
	396	ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57],
	397	const uint8_t private_key[57], const char *propq)
6ea71cba	398	{
054d43ff SL	399	return ossl_c448_ed448_derive_public_key(ctx, out_public_key, private_key,
054d43ff SL	400	propq) == C448_SUCCESS;
4ea41daa	401	}